Following all the marketplaces that got hacked, many of which were based on the Bitwasp software, we were very happy when the founder of Bitwasp contacted us and offered to answer some questions about Bitwasp, its DarkNet uses, security, and the latest and future developments of the Bitwasp market software. We spoke to the Bitwasp team:

If you feel like helping the Bitwasp project and contributing to the future development of better marketplaces, you can donate to this bitcoin address: 19EkDTAaGWySZv1QsWxyWwYMZpo7jpvPYe
The developer works full time on this project, is unemployed and lives off donations, so he would really appreciate them!
You can find more information here: http://bitwasp.co/

Screenshot of the new design of the upcoming Bitwasp version

So, what can you tell us about the newly finished, but still beta, version of Bitwasp?

Thomas: Our major milestone will be publishing a full version of the Bitwasp code running multisig. Multisig will remove the trust users need to have in the site operator, and at each step of making payment and signing, the user has all the information they need to make an informed decision before proceeding. Users will never pay to an address that one party has control over, meaning less exposure for operators setting up a site. No one wants to be responsible for losing coin, as there’s often little recourse. But with multisig, even if the site experiences downtime, once buyers and sellers can communicate on another channel they can recover the funds.

Multisig, or P2SH, addresses have been supported since 2012, so it’s insane that there isn’t more support for them. Bitwasp will be one of the first few sites to implement multisig, let alone publish all the code behind it.

The code itself has effectively been implemented behind the scenes; however, a lot of work remains before it’s finalized and ready to be published. The software still needs a lot of work, but most of the ground work is done.

But this release will see a huge change – no live wallet, or notion of ‘user balances’. An admin configures an Electrum master public key to create public keys/addresses, vendors upload a list of them, and buyers enter them on a per-order basis. The order process essentially guides users through the steps of a multisignature transaction.

Once buyers pay to the multisig address, an unsigned transaction is created which pays the vendor and the operator’s fee. In an up-front payment, the buyer must sign the transaction immediately after paying, and the vendor signs and broadcasts to indicate they’ve dispatched. In an escrow order, after payment is made, the vendor signs to indicate dispatch, and the buyer signs and broadcasts once they receive the goods. Otherwise a dispute is made, and the admin will talk it out with the buyer/seller. A new transaction is created by the admin when an acceptable solution is found. Recently a feedback system was built in, to further assist trustless transacting.

The effort of creating public keys in advance is something that I’d love to change, but I don’t think it’s reasonable to ask everyone for an Electrum MPK. Support for BIP32 extended public keys ( M/k’ ) to automate this for all users is another milestone in the future – with this, users could enter their extended key, allowing Bitwasp to generate public keys/addresses for multisig keys/receiving money, which ultimately means keys are all deterministically derived from one single seed.

Here is a gallery showing the process of placing an order using the new multisig:

[Gallery: placing an order with the new multisig flow]

How large is the community around Bitwasp, and how do you reach a broader audience? (As we know, with open source this is the most important factor when it comes to development.)

Cameron: It’s difficult to say. We only recently found out that over 10 Darknet Bitwasp marketplaces have been set up. I’d say it is pretty large considering we haven’t done much promotion, yet our Facebook page has over 400 likes – and considering what appears to be the main interest, most people wouldn’t like such a page with their Facebook account. Additionally, 140 members are on our forum. That isn’t a lot, but it is a decent number considering the incredibly small amount of advertising we’ve done. I suspect it will easily grow orders of magnitude larger once we release a finished product, even if it is in alpha or beta, and also have our Bitwasp.co site launched.

Thomas: The forums usually see new people coming and going, with a few faces hanging around for longer.

Is there some business plan behind it, or will it stay completely free and open source?

Cameron: We are planning on launching our own marketplace at Bitwasp.co and hope to see apps for Bitwasp being sold, alongside various other legal items. We will also be selling items on our site as well. Hopefully it will become the next well-known legal bitcoin marketplace.

Do you consider the use of the current version reckless and disappointing behavior?

Thomas: Bitwasp is highly experimental software, and it should be understood that any Bitwasp implementation running a live wallet is taking unnecessary risks with user funds. We have never made an alpha release, and typically the only change to the software in sites we’ve seen is that they remove the ‘NOT IN PRODUCTION, USE ONLY ON TESTNET’ notice. Until http://test.bit-wasp.org no longer has this banner, people shouldn’t trust them.

Will you offer bounties for discovering exploits?

Cameron: Since protecting security and privacy while facilitating transactions is our primary goal, it is important that people are motivated to audit our software and report these bugs and exploits to us so they can be fixed.

The best way to motivate people is money. So we will be rewarding the person who finds the most exploits and other issues with 3 bitcoins. The winner will be determined by a point system: whoever has the most points wins. Exploits that can take bitcoins from the site or the users are worth 3 points, exploits that can access the database and read messages or other data provided by users are worth 2 points, and any other general bugs or exploits that don’t really jeopardize privacy, security or bitcoins are worth 1 point. This contest will be held after our first release and go for a month.

Will you have all these SQL injection issues sorted in the new version? How come they are not sorted till now?

Cameron: Give us more info on these SQL injections… what have you heard about them? We’ve gotten little to no feedback in this area as far as I know.

I don’t know much about them, only that they exist. I have reached out to a couple of the security guys who have experience with Bitwasp injections and suggested that they contact you, but here is one example taken from a previously published post about security exploits:

Thomas: Hard to say without details. Most likely an error in the items by categories / locations pages. I’ve noticed that most of the ‘hacked’ accusations take place on reddit; little technical detail is ever given.

Do you get input from all the hacked markets (I mean on the technical level) about stuff that needs to be fixed?

Cameron: No. I think the only one where we even knew how it got hacked was FloMarket, and it was an issue we had already known about.

Can you elaborate on how Flomarket got hacked technically? (Assuming it’s fixed now. We are still happy to know it was hacked and not a scam, and that the admin was telling the truth in the interview we did with him.)

Cameron: This question needs to be answered by the developer (http://bit-wasp.org/index.php?topic=28.90), but in the next version it is fixed, because we’ve entirely changed the way transactions are processed, via 2/3 multisignature transactions. This way private keys or bitcoins are never held by the Bitwasp site admins or on the servers.

Thomas: In the copy of Bitwasp that Flole used, there was an issue whereby, when orders were being added to the database, if the bitcoin amount was out of range (say, 0.0001 satoshis), a value like 99 would be entered. It was a subtle type error with disastrous consequences, as obviously if this order was cancelled, the buyer would be credited with 99BTC. Or that’s what we believe. This has been fixed now, since refactoring the order system around multisig. Flomarket was really a sign of how the future would go if Bitwasp didn’t remove live wallets.
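The exact type error in that copy is not described above, so the following added example (written for this page, not Bitwasp’s code) shows the general defence against that class of bug: a user-supplied amount is parsed into integer satoshis with strict checks before it can reach an order table, set beside a hypothetical lenient float-based conversion of the kind that silently accepts or transforms bad input. The function names, the 20-character cap and the sample inputs are all constructed for the illustration.

```python
from decimal import Decimal, InvalidOperation

SATOSHI_PER_BTC = 100_000_000
MAX_MONEY = 21_000_000 * SATOSHI_PER_BTC  # hard cap on total supply, in satoshis
MAX_INPUT_LEN = 20  # constructed limit; keeps Decimal maths below the 28-digit default precision


class InvalidAmount(ValueError):
    """Raised for any amount that must not reach the order table."""


def lenient_parse(text):
    """Hypothetical lenient conversion, for contrast only: float() accepts
    exponents, negatives, 'nan' and 'inf', and int() truncation quietly turns a
    sub-satoshi amount into zero. Nothing here rejects an out-of-range value."""
    return int(float(text) * SATOSHI_PER_BTC)


def parse_btc_amount(text):
    """Parse a user-supplied BTC string into integer satoshis, rejecting anything
    that is too long, not a finite decimal, not exactly representable in
    satoshis, non-positive, or above the supply cap."""
    text = str(text).strip()
    if len(text) > MAX_INPUT_LEN:
        raise InvalidAmount("amount string too long")
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise InvalidAmount(f"not a decimal number: {text!r}") from None
    if not value.is_finite():
        raise InvalidAmount("amount must be finite")
    sats = value * SATOSHI_PER_BTC  # exact: <= 20 digits * 10^8 fits in 28 digits
    if sats != sats.to_integral_value():
        raise InvalidAmount("sub-satoshi precision is not representable")
    sats = int(sats)
    if sats <= 0 or sats > MAX_MONEY:
        raise InvalidAmount("amount out of range")
    return sats


def classify(inputs):
    """Run both parsers over the given inputs. Returns {input: (lenient, strict)},
    where each side is the satoshi count or a string describing the failure."""
    out = {}
    for text in inputs:
        try:
            lenient = lenient_parse(text)
        except (ValueError, OverflowError) as exc:
            lenient = f"error: {type(exc).__name__}"
        try:
            strict = parse_btc_amount(text)
        except InvalidAmount as exc:
            strict = f"rejected: {exc}"
        out[text] = (lenient, strict)
    return out


if __name__ == "__main__":
    # Constructed sample inputs: one valid amount, then the shapes that bite.
    samples = ["0.0001", "0.00000001", "1e-12", "0.000000001", "-1", "0",
               "nan", "inf", "99abc", "", "21000001"]
    for text, (lenient, strict) in classify(samples).items():
        print(f"{text!r:14} lenient={lenient!r:24} strict={strict!r}")
```

The point of the strict path is that the stored value is an integer number of satoshis (a BIGINT column, not a float or a loosely typed string), and that anything the parser cannot represent exactly is rejected rather than coerced. The length cap is what makes the `Decimal` multiplication exact under the default context: without it, a very long fractional input could be rounded to an integral value and the sub-satoshi tail lost silently.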

Have you seen any markets nowadays that are based on Bitwasp that you can say are secure?

Cameron: Nope, but we haven’t really looked. We didn’t even realize very many people were using our clearly unfinished software. The longest lasting seems to be Tor Bazaar, but we’re not sure about that either.

What do you think/feel about DarkNet market operators using your software?

Cameron: It’s exciting and comical. It is also unfortunate that they used the unfinished software for live marketplaces and with real bitcoins. We clearly say that it is not finished, is still being developed, and is to be used on testnet only. Unfortunately some have falsely claimed to have fixed issues, which led to people losing their money or privacy. While it doesn’t seem very profitable or logical to launch a darknet marketplace, and we’re not at all condoning doing so, we are happy to see that there is interest in the software and that many people are enthusiastic about what we’re doing.

Do you have any general advice for Bitwasp operators?

Thomas: Much of the barrier to entry for any company considering working with bitcoin is that they simply can’t afford to hire someone to code the system, but Bitwasp has lots of libraries suited to making development really easy, in Bitwasp or other projects. We’re really hoping it will inspire some inventive new businesses.

Cameron: Consider getting creative with our software. Don’t forget that things such as Airbnb, cryptocurrency exchanges, freelance sites, and Lyft are all technically just marketplaces. Why not make it into a freelance site, or embrace the first-sale doctrine and have a site that sells incredibly cheap digital files? I feel like such things would get far more attention and

Do you have any advice for DarkNet marketplace operators using Bitwasp?

Cameron: Do not do it. It is not worth it. It isn’t going to be profitable to launch a dark net marketplace because the barrier to entry is incredibly low (the cost of hosting + setup time of the free software?) and the risk of going to prison if you slip up is just as high. It takes a lot to stay truly hidden in this networked world, and law enforcement only have to be lucky once before you find yourself in serious trouble. Launching a unique clearnet marketplace would be far more profitable and less dangerous.

What kind of issues have you faced during development?

Thomas: This copy of Bitwasp has been in development since August 2013. We started before that, but due to commitments like college, etc., it was hard for the project to proceed at a fast pace. Since August, however, we have covered a lot of ground. Since then, the developer took a job elsewhere, before quitting to devote his full time to the project last February. It’s taken a lot of work to get this far, and we’re trying to do something great. We have received donations to date, which the dev is currently living off, so if anyone is happy about what we’re doing and can afford to give a little to keep us going, please donate! It’s not just Thomas: we have paid out bounties in the past (2.7BTC for someone who helped us fix low entropy private keys (guess we won’t need that now with multisig.. but glad he helped!), and 2BTC for Harris Kalash, who is working on a new layout for Bitwasp to work on all devices), as well as to someone for finding an issue in our code’s session management.

Thomas: We’d ask everyone to weigh in on what we’re doing, and the features we’re offering. We’re hoping that Bitwasp can lower the barrier to entry for taking part in bitcoin ecommerce, as a buyer or seller, in a secure way. The unbanked population, and also those in countries with strict financial controls, face difficulties getting involved in ecommerce, and Bitwasp is making it possible to do it all with a webserver and the satoshi client. Any suggestions, feedback on what we’ve done, or features you’d like to see as a buyer/seller, please drop us a line on our forums: http://bit-wasp.org

If anyone wants to join the Bitwasp community / help / donate / develop, how can they contact you?

Cameron: To stay updated on the open source project, join the Bitwasp forum (the developer’s PGP key is there): http://bit-wasp.org

But if you’d just like to join our clearnet site (a Bitmit alternative) when we launch, submit your email here: http://Bitwasp.co

Bitcoin address: 19EkDTAaGWySZv1QsWxyWwYMZpo7jpvPYe
Since the developer is working full time on this project, is unemployed and living off donations, we would really appreciate donations. We have been rewarding, and intend to keep rewarding, people who find exploits.

We want to thank the Bitwasp team for taking the time to answer our questions, and we wish them good luck with the future development! At the same time, we hope that the message of this interview will reach the people who are planning to start another marketplace using the current Bitwasp version.

5 comments

@the admin: You surely need a proof reader; your English and grammar seriously suck. I wouldn’t be surprised if you work part-time at a call centre in India. As for the topic, good to hear from the folks behind the application and their views on it. I’d think that to just single out Bitwasp-based markets is unfair, as at the moment ANY DarkNet market running with hot wallets is criminal (what isn’t)! SR2, BMR, Pandora, TM and pretty much all others had their coins stolen for it or have claimed so. Closed source or open source, almost every one of those markets has been hacked and coins stolen, so multisig is the way to go, and kudos to the developers for implementing it. The rest boils down to operators securing their networks, plugging the loopholes and ironing out the bugs.

Ahh, known problem. I am not a native English speaker; it’s listed on our about page and in some of our articles. Although I’m not from India, and my job is much better than a call center, I can tell you that :)

We would love to get someone to proofread, if anyone is interested and is very quick to deliver.

Since when has DDW become the new self-imposed certifying authority on DNMs? Anyone is free to run and operate a marketplace with Bitwasp or not. They ought to be fully well aware of the risks involved in doing so. The onus is just as much on the site users to take due diligence and precautions, and to encrypt all their communications. As for which markets they sign up for, users should never take the operator’s word for good measure. If people are dumb enough to continue to use SR2 and the like, it’s only evident that there’d never be a shortage of morons, and that is their incentive.

The bolded word in the post above should rather be on ‘Live wallet’ instead, as with DNMs we’ve seen enough hacks and scams over it. Every one of them, including all these so-called closed-source markets which were ‘built from scratch’ and bragged about their security, one too many to name them (they can be viewed in the hall of shame link, for further reading).

As much as the developers do not seem to acknowledge it, I’d wager my bet that the entire development of BitWasp would have come through such markets and through their technical contributions along the way, as well as by going belly up, which would have been the learning curve. As I see it that’s the silver lining, and had it not been for such hacks, the team at BitWasp would never have been looking towards implementing multisig or patching some of these critical issues.

Besides, some of the questions you put forth were dumb, to say the least. Asking developers about current markets’ security was outright stupid. Beyond the application layer, how would they even be remotely aware, to comment on any of the operators and on their servers and/or overall security?

Do not be disheartened, all you wanna-be BitWasp market operators. There will never be a shortage of morons to sign up. All junkies want is their fix. Most of the average joes here struggle with PGP, and proper implementation of multisig and support for it is a light year away and way beyond their pea-sized brains, but on a personal note, do implement it, as it goes a long way to show your true intentions and commitment.